Full Disclosure mailing list archives
Re: Symlink attack techniques
From: Joachim Schipper <j.schipper () math uu nl>
Date: Thu, 15 Dec 2005 18:27:09 +0100
On Thu, Dec 15, 2005 at 01:09:49PM +0000, Werner Schalk wrote:
> Hi, thanks for all the replies, I really appreciate this.
>
> basically the cronjob is something like:
>
> 15 4 * * 6 root /usr/bin/find /home/userA -type f -print > /tmp/report.txt
>
> Consequently as userB I have no way of influencing what information is printed by the find command to /tmp/report.txt but I can surely control /tmp/report.txt. Any other ideas of how to exploit this to gain root access?
This is not generally possible. It's likely to be viewed, though, and you can attack the viewing application (bad email clients, old vim versions, and most browsers apply). Of course, symlinking it to /etc/passwd is fun but ultimately pretty useless.

Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
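An added example, not part of the original message or thread: a sandboxed shell sketch that puts the cron job's fixed-name redirect next to a hardened variant that writes into a private directory and renames the file into place. The function names, the sandbox layout and the `victim` file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Everything runs inside a constructed sandbox directory.

# The cron entry's pattern: '>' into a fixed name in a shared directory.
# The redirect opens whatever that name resolves to, symlinks included.
write_report_unsafe() {    # $1 = tree to list, $2 = shared directory
    find "$1" -type f -print > "$2/report.txt"
}

# Hardened form (assumption: the job may write to a directory of its own).
# Refuse group/other-writable directories, create the file under an
# unpredictable name with mktemp, then rename it into place.
write_report_safe() {      # $1 = tree to list, $2 = private directory
    [ -d "$2" ] && [ ! -L "$2" ] || return 1
    loose=$(find "$2" -prune \( -perm -0020 -o -perm -0002 \) -print)
    [ -z "$loose" ] || return 1
    tmp=$(mktemp "$2/report.XXXXXX") || return 1
    find "$1" -type f -print > "$tmp" && mv -f "$tmp" "$2/report.txt"
}

# Constructed scenario: "victim" stands in for a file the job can overwrite.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/home" "$box/shared" "$box/private"
    chmod 1777 "$box/shared"
    chmod 700 "$box/private"
    : > "$box/home/notes.txt"
    echo important > "$box/victim"
    ln -s "$box/victim" "$box/shared/report.txt"   # name already taken by a link

    write_report_unsafe "$box/home" "$box/shared"
    unsafe_victim=$(cat "$box/victim")             # now the find output

    echo important > "$box/victim"
    write_report_safe "$box/home" "$box/private"
    safe_victim=$(cat "$box/victim")               # still "important"
    safe_report=$(cat "$box/private/report.txt")

    shared_refused=no
    write_report_safe "$box/home" "$box/shared" || shared_refused=yes
    rm -rf "$box"
}

demo && printf 'unsafe: %s\nsafe: %s\nshared dir refused: %s\n' \
    "$unsafe_victim" "$safe_victim" "$shared_refused"
```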